Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-05-2024 07:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
- Size: 260KB
- MD5: 450d8c68e01b7c086e5d195a594a5ad4
- SHA1: 06fffef49449302cba0f659ae6221150e3cfa163
- SHA256: a84ea5c3902e7e6d2d4ace96b238e43d79054295b18426a73bfb9f5877f532ca
- SHA512: f46bd8231342a6ee2ed0709f6d08d00f6dd92e130214b2f7fcbfcbe9d1acb92709d96a199284f634826e3d65b4c4b29b6d3290b42cfc20cd06d2f91c9e5ed509
- SSDEEP: 6144:QAeZHGAD/E/iG5UzMh2msfgB9mnkDO9L:zeYA4/icSRmagmn4O9
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: 3495735yi.zapto.org:1604, 127.0.0.1:1604
- Mutex: f2e2838b-8e37-4b10-9388-ba08fbe83deb
Attributes:
- activate_away_mode: false
- backup_connection_host: 127.0.0.1
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2017-05-12T12:39:20.884264436Z
- bypass_user_account_control: true
- bypass_user_account_control_data: (empty)
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 1604
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: f2e2838b-8e37-4b10-9388-ba08fbe83deb
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: 3495735yi.zapto.org
- primary_dns_server: 8.8.8.8
- request_elevation: true
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoCs)
  Processes:
  - pid 2616, process myttxns.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  - pid 1924, process 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
  - pid 1924, process 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes:
  - description: Set value (str); ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe"; process: RegAsm.exe
- Checks whether UAC is enabled
  Processes:
  - description: Key value queried; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA; process: RegAsm.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - description: PID 2616 set thread context of 3008; pid 2616; process myttxns.exe; target process RegAsm.exe
  - description: PID 2616 set thread context of 2596; pid 2616; process myttxns.exe; target process msbuild.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  - description: File created; ioc: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe; process: RegAsm.exe
  - description: File opened for modification; ioc: C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe; process: RegAsm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid process, one entry per IoC):
RegAsm.exemyttxns.exemsbuild.exepid process 3008 RegAsm.exe 3008 RegAsm.exe 3008 RegAsm.exe 2616 myttxns.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe 2616 myttxns.exe 2616 myttxns.exe 2596 msbuild.exe 2596 msbuild.exe -
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
  - pid 3008, process RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid 3008; process RegAsm.exe
  - description: Token: SeDebugPrivilege; pid 2616; process myttxns.exe
  - description: Token: SeDebugPrivilege; pid 2596; process msbuild.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  Processes (description; pid; process; target process):
  - PID 1924 wrote to memory of 2616; 1924; 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe; myttxns.exe
  - PID 1924 wrote to memory of 2616; 1924; 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe; myttxns.exe
  - PID 1924 wrote to memory of 2616; 1924; 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe; myttxns.exe
  - PID 1924 wrote to memory of 2616; 1924; 450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe; myttxns.exe
  - PID 2616 wrote to memory of 2868; 2616; myttxns.exe; cmd.exe
  - PID 2616 wrote to memory of 2868; 2616; myttxns.exe; cmd.exe
  - PID 2616 wrote to memory of 2868; 2616; myttxns.exe; cmd.exe
  - PID 2616 wrote to memory of 2868; 2616; myttxns.exe; cmd.exe
  - PID 2868 wrote to memory of 2500; 2868; cmd.exe; reg.exe
  - PID 2868 wrote to memory of 2500; 2868; cmd.exe; reg.exe
  - PID 2868 wrote to memory of 2500; 2868; cmd.exe; reg.exe
  - PID 2868 wrote to memory of 2500; 2868; cmd.exe; reg.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 3008; 2616; myttxns.exe; RegAsm.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
  - PID 2616 wrote to memory of 2596; 2616; myttxns.exe; msbuild.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\450d8c68e01b7c086e5d195a594a5ad4_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" -n
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe" /f
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\msbuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\fl.txt
  - Filesize: 11B
  - MD5: 5789e2298841e26059d3ebd7201d57af
  - SHA1: de92102b28e024efab74c94a513489b2cf319aef
  - SHA256: bd2dfb956ffd024799b90335a885cdfa4069df2f1e8279e5dc46bf5d301757f7
  - SHA512: 8508dfee3358855691bfe58cf88961f28d3fd07e90db2a5013af82406de36658fe3b18124d22c118aa4a1f29bcfc8f335037d1f495a0ba490eba28f9660f5312
- \Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\myttxns.exe
  - Filesize: 260KB
  - MD5: 450d8c68e01b7c086e5d195a594a5ad4
  - SHA1: 06fffef49449302cba0f659ae6221150e3cfa163
  - SHA256: a84ea5c3902e7e6d2d4ace96b238e43d79054295b18426a73bfb9f5877f532ca
  - SHA512: f46bd8231342a6ee2ed0709f6d08d00f6dd92e130214b2f7fcbfcbe9d1acb92709d96a199284f634826e3d65b4c4b29b6d3290b42cfc20cd06d2f91c9e5ed509
- memory/1924-0-0x00000000741B1000-0x00000000741B2000-memory.dmp (Filesize: 4KB)
- memory/1924-2-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/1924-15-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/1924-1-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/2596-42-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-44-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-43-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-33-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-35-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-37-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-39-0x0000000000400000-0x0000000000408000-memory.dmp (Filesize: 32KB)
- memory/2596-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/2616-17-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/2616-18-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/2616-16-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/2616-46-0x00000000741B0000-0x000000007475B000-memory.dmp (Filesize: 5.7MB)
- memory/3008-29-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-30-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-19-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-23-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-25-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
- memory/3008-28-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)
- memory/3008-21-0x0000000000400000-0x0000000000438000-memory.dmp (Filesize: 224KB)